How do trust S/MIME certificate in Office 365?
Unlike OWA running on Exchange, Office 365 does not trust any root certificates by default. This causes validation problems when opening digitally signed email using S/MIME. In order to fix this, the Office 365 administrators for your organization must manually import the root certificates your organisation chooses to trust using Microsoft Serialized Certificate Files (*.SST). This article describes this process.
There are two ways to obtain an SST file.
You can obtain an SST file by running the following command:
PS C:\> Get-ChildItem -Path cert:\CurrentUser\my |
Export-Certificate –FilePath c:\certs\allcerts.sst -Type SST
Alternatively, you can obtain an SST file from your computer using the Certificate Export Wizard.
First you must connect to
Office 365 using PowerShell. Below describes how to do this:
On the local computer, open Windows PowerShell and run the following commands:
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type in your Exchange Online user name and password and the click on OK.
Run the following command:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange
-ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential
$UserCredential -Authentication Basic -AllowRedirection
Next run this command:
Import-PSSession $Session -AllowClobber
Connect-MsolService -Credential $UserCredential
The Exchange Online cmdlets should be imported into your local Windows PowerShell session. If you don't receive an error, you can verify this has worked by using the following command:
If the Get-Mailbox command works, then you are connected to Office 365 successfully.
Once you are connected to Office 365 via
PowerShell, you will then need to import the SST using the following
Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content
<filename>.sst -Encoding Byte)
After the SST is installed, you will need to get Dirsync to synchronize using the DirSyncConfigShell and then start-onlinecoexistencesync. This process generally happens automatically after 30 mins.
When you are finished, it is important to close out the session. You can do this by running the following command:
When the Dirsync hsa completed, any certificate issued out of a CA that you have imported should chain up and be trusted.